"Here you have" Spam With a URL That Leads to Malware

WRITTEN BY

Jovi Umawing

Background of the Attack

On September 9, 2010, Trend Micro received reports of a spammed message that contained a clickable link leading to a worm. The spammed messages used any of the following subjects: "Here you have", "Just for You", and "hi". Each contained an embedded link that was found to host malware, which users could unknowingly download by clicking it. A sample of the spammed message is shown below:

Upon further probing, Trend Micro researchers found that this spam campaign may have started around July 17 or earlier. The initial samples were sent to "Human Resource" or "Admin" email addresses at various companies, and some were also sent to people in the military. The first wave of the campaign typically used the following messages:

Hello, This is my CV. I hope I can Find a Job

I have worked in Human Right Community and would like to work with you. This is my CV including personal picture

The usual subjects of this spam included "MY CV" and "to af union." Around July 29 to August 3, it was also seen to specifically target members of the African Union. The campaign may therefore have been targeted at the outset.

How do users get this Web threat?

This threat arrives via spammed messages that entice users to click an embedded link. TrendLabs received several variations of the message, including one that promoted free movies and another that purportedly linked to a .PDF file. Checking the URLs, however, revealed that both versions of the embedded link led to the download of WORM_MEYLME.B onto the recipient's system.

What happens once the threat gets inside computers?

Once executed, WORM_MEYLME.B connects to specific sites to download files detected as HKTL_PASSVW.A and HKTL_PASSVIEW onto the affected system. Both are tools for harvesting information from the system. HKTL_PASSVW.A gathers passwords stored on the system, such as MS Outlook passwords, passwords saved by AutoComplete, and credentials for password-protected sites saved in Internet Explorer and MSN Explorer. HKTL_PASSVIEW is a password recovery tool for various Windows applications. The worm also downloads a backdoor, detected by Trend Micro as BKDR_BIFROSE.SMU.

It also stops and deletes the services of antivirus applications, leaving the affected system unprotected. Its network propagation, driven by a VB script (detected as VBS_MEYLME.B) embedded in its code, is described below.

This worm gathers email addresses from MS Outlook contacts and uses the Messaging Application Programming Interface (MAPI) to send messages containing a link to a copy of itself. It also gathers email addresses from the affected user's Yahoo! contact list and uses the tool SendEmail to distribute the messages. The worm can also use Gmail as its SMTP server, authenticating with specific user name and password pairs. The messages it sends contain the link http://{BLOCKED}s.multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr, which leads to a copy of the worm. Note that the file is named to look like a PDF document but carries the .SCR (Windows screensaver) extension, so it is an executable.

WORM_MEYLME.B also spreads via removable drives. It drops a copy of itself onto every removable drive connected to the affected system, together with an AUTORUN.INF file so that the dropped copy runs automatically when the drive is opened on a system with AutoRun enabled.

This worm also uses a script detected as VBS_MEYLME.B, embedded in its code, to enumerate all of the network's users. It then drops a copy of itself as N73.Image12.03.2009.JPG.scr or {computer_name} CV 2010.exe in drives C to H of the affected computer, and into shared folders named New Folder, music, and print. It also forces the %Windows%\system folder to be shared as \\{computer_name}\updates. Both file names are disguises: the first pairs a .JPG "extension" with the executable .SCR extension, and the second poses as a résumé.
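The removable-drive and network-share routines above leave two artifacts a responder can check for directly: an AUTORUN.INF that launches a dropped file, and file names that pair a document or image "extension" with a real executable extension (.JPG.scr, _pdf.scr). The following Python is an added example written for this page, not Trend Micro's tooling. The dropped file name is the one reported for WORM_MEYLME.B; the exact AUTORUN.INF directives the worm writes are not given on the page, so the directives in the constructed sample drive are an assumption, as are the two benign files.

```python
import re

# Names that pair a document/image "extension" with a Windows executable
# extension, e.g. "...JPG.scr" or "..._pdf.scr". Windows hides the real
# extension by default, so the victim sees "PDF_Document21_025542010_pdf".
DISGUISED_NAME = re.compile(
    r"[._](jpe?g|gif|png|bmp|pdf|doc|docx|txt)\.(scr|exe|pif|com|bat|cmd)$",
    re.IGNORECASE,
)

# autorun.inf keys that make Windows launch a program when the drive is opened.
AUTORUN_EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")


def leaf_name(path: str) -> str:
    """Last component of a path written with either / or \\ separators."""
    return re.split(r"[\\/]", path)[-1]


def is_disguised_executable(name: str) -> bool:
    """True if the file name looks like a document or image but would run as
    a program (.scr is a PE executable that Windows treats as a screensaver)."""
    return bool(DISGUISED_NAME.search(leaf_name(name)))


def command_image(command: str) -> str:
    """Executable named by a command line: the quoted part if quoted, else the
    first whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"') and command.count('"') >= 2:
        return command[1:command.index('"', 1)]
    return command.split()[0] if command else ""


def autorun_targets(inf_text: str) -> list:
    """Programs an autorun.inf asks Windows to run, taken from its [autorun]
    section in file order without duplicates. Empty list: nothing auto-runs."""
    targets, section = [], None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in AUTORUN_EXEC_KEYS and value and value not in targets:
            targets.append(value)
    return targets


def scan_drive(files: dict) -> list:
    """Walk a {path: content} snapshot of a drive and return (path, reason)
    findings for autorun.inf launch directives and disguised executables."""
    findings = []
    for path, content in files.items():
        leaf = leaf_name(path)
        if leaf.lower() == "autorun.inf":
            for command in autorun_targets(content):
                image = command_image(command)
                reason = "autorun.inf auto-launches " + image
                if is_disguised_executable(image):
                    reason += " (disguised executable)"
                findings.append((path, reason))
        elif is_disguised_executable(leaf):
            findings.append((path, "document/image name with executable extension"))
    return findings


# Constructed sample: a removable drive as the worm might leave it. The dropped
# file name is the one reported for WORM_MEYLME.B; the autorun.inf directives
# and the two benign files are assumptions made for this example.
SAMPLE_DRIVE = {
    "E:\\autorun.inf": (
        "[autorun]\r\n"
        "open=N73.Image12.03.2009.JPG.scr\r\n"
        "shell\\open\\command=N73.Image12.03.2009.JPG.scr\r\n"
        "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    ),
    "E:\\N73.Image12.03.2009.JPG.scr": "<binary>",
    "E:\\holiday.jpg": "<binary>",
    "E:\\report.pdf": "<binary>",
}

if __name__ == "__main__":
    for path, reason in scan_drive(SAMPLE_DRIVE):
        print(path, "->", reason)
```

On a real drive, build the snapshot with os.walk over the drive root and read only files named autorun.inf. Note the limit of the name heuristic: the worm's second drop name, {computer_name} CV 2010.exe, has no fake document extension and is not flagged, so this check complements rather than replaces file scanning and the share inventory (the forced \\{computer_name}\updates share is found with net share, not with this script).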

What is noteworthy about this attack?

This threat is noteworthy for several reasons. First, the worm proliferates via spammed messages with varying subject lines, addressed to key people such as those in companies' human resources departments or the military, which may lend credibility to the messages. Second, its routines make significant changes to the registry, including: (1) deleting the wuauserv service key to prevent Windows from performing updates; (2) adding registry keys that ensure its execution whenever any of an extensive list of programs is run; and (3) stopping and deleting antivirus services.

More importantly, WORM_MEYLME.B leaves infected systems exposed by sharing folders without the user's consent. It then installs several pieces of malware, including a backdoor. It also steals sensitive information, such as passwords used for browsers and instant messengers, wireless keys, and remote desktop credentials, among others.

Are Trend Micro product users protected from this threat?

Attacks like this, however simple they may seem, call for a layered approach to protection rather than a single traditional control. The Trend Micro™ Smart Protection Network™ protects Trend Micro product users through its email reputation technology, which blocks the spam. It also blocks access to the URLs that host copies of this worm and from which the worm downloads additional files. Furthermore, it detects WORM_MEYLME.B and all associated malware and prevents their execution on affected computers.

What can users do to prevent this threat from harming computers?

It is important that users exercise caution when opening email messages and clicking URLs. Clicking links in messages from unknown senders is one of the easiest ways to fall prey to this kind of attack. A linked or attached file whose name ends in .SCR or .EXE should not be opened, whatever document or image it claims to be.

Non-Trend Micro product users can also check their systems using HouseCall, a free tool that identifies and removes all kinds of viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems. They can also use Web Protection Add-On to proactively protect their computers from Web threats.

From the Field: Expert Insights

"... this attack may have been initially targeted and is not really the resurgence of mass mailers... the attack may have gone haywire and infected others because of its propagation routines." — Ivan Macalintal, on how the attack affected a significant number of consumers